
pix traffic over vpn

durale1789 (Level 1)

Hi,

I'd like to fix an issue I've got with my PIX. With my config I'm able to ping the inside PIX interface through the VPN tunnel, but I can't SSH or telnet to it, and obviously I can't get ASDM with HTTPS. Here is my config:

!
interface Ethernet0
nameif outside
security-level 0
ip address <public-ip> 255.255.255.128
!
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.21.1 255.255.255.0
access-list http-list2 extended permit ip any any
access-list UKDEVPN extended permit ip object-group UKInside object-group DEOffice
access-list UKUKOFFICEVPN extended permit ip object-group UKInside object-group UKOffice
access-list inside_nat0_outbound extended permit ip object-group UKInside object-group DEOffice
access-list inside_nat0_outbound extended permit ip object-group UKInside object-group UKOffice
access-list inside_nat1_outbound extended permit ip object-group UKInside any
access-list inbound extended permit tcp any object-group UKOutEx eq smtp
access-list inbound extended permit tcp any object-group UKOutEx eq pop3
access-list inbound extended permit tcp any object-group UKOutEx eq https
access-list inbound extended permit tcp any object-group UKOutEx eq imap4
access-list inbound extended permit tcp any object-group UKOutEx eq ssh
access-list inbound extended permit tcp any object-group UKOutEx eq 995
access-list inbound extended permit icmp object-group PublicUKOffice object-group UKOutEx
monitor-interface outside
monitor-interface inside
icmp permit <officepublicip> 255.255.255.248 outside
icmp permit any inside
asdm image flash:/asdm-501.bin
asdm history enable
arp timeout 14400
nat-control
global (outside) 1 <publicip> netmask 255.255.255.128
nat (inside) 0 access-list inside_nat0_outbound
nat (inside) 1 access-list inside_nat1_outbound
static (inside,outside) <publicip> 192.168.21.10 netmask 255.255.255.255
access-group inbound in interface outside
route outside 0.0.0.0 0.0.0.0 <internetGW>
http server enable
http <publicofficeip> outside
http 192.168.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside

I don't know why I'm able to ping (so the traffic is allowed) but can't SSH or telnet, even though I've set up the right settings such as management-access inside, etc.

Any help would be great.

Thanks in advance

6 Replies

b.hsu (Level 5)

Try adding the following commands; it might solve your problem.

telnet inside
telnet timeout 5
ssh timeout 5

kaachary (Cisco Employee)

Hi,

This should help you:

telnet inside
ssh inside
http inside

where Remote subnet is the subnet on the far side of the tunnel.

And you need management-access inside for this to work.
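As an added illustration (not code from the thread or from Cisco), here is a small Python audit that parses the telnet/ssh/http allow lines of a PIX-style config and reports whether a far-side VPN subnet is permitted to manage the inside interface, whether that permission comes only from a 0.0.0.0/0 "any source" line, and whether management-access inside is present. The sample config and the remote subnet 10.20.0.0/24 are constructed for the demonstration.

```python
import ipaddress
import re

# Constructed PIX 6.3-style snippet modelled on the config posted in the thread
# (addresses are placeholders, not the poster's real ones).
SAMPLE_CONFIG = """\
interface Ethernet1
nameif inside
security-level 100
ip address 192.168.21.1 255.255.255.0
http server enable
http 192.168.20.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 inside
"""

# <proto> <source-ip> <source-mask> <interface>; "http server enable" does not match.
MGMT_RE = re.compile(
    r"^(telnet|ssh|http)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$"
)


def parse_mgmt_rules(config):
    """Return (protocol, source network, interface) triples for management allow lines."""
    rules = []
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:
            proto, ip, mask, ifc = m.groups()
            rules.append((proto, ipaddress.ip_network(f"{ip}/{mask}", strict=False), ifc))
    return rules


def audit_mgmt_access(config, remote_subnet, ifc="inside"):
    """For each protocol, say whether remote_subnet may manage interface ifc,
    flag allows that only exist because of a 0.0.0.0/0 line, and check for
    the management-access statement the thread's replies point at."""
    remote = ipaddress.ip_network(remote_subnet)
    rules = parse_mgmt_rules(config)
    findings = {}
    for proto in ("telnet", "ssh", "http"):
        hits = [r for r in rules if r[0] == proto and r[2] == ifc and remote.subnet_of(r[1])]
        findings[proto] = bool(hits)
        # a /0 allow hands a login prompt to every host that can reach the interface
        findings[f"{proto}_any_source"] = any(r[1].prefixlen == 0 for r in hits)
    findings["management_access"] = any(
        line.strip() == f"management-access {ifc}" for line in config.splitlines()
    )
    return findings


if __name__ == "__main__":
    print(audit_mgmt_access(SAMPLE_CONFIG, "10.20.0.0/24"))
```

Run against the sample, the audit shows no telnet allow at all, SSH and HTTP reachable only through the any-source lines, and no management-access inside, which is the combination the replies above tell the poster to fix.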

I'm sorry, but I've already made these modifications and no luck; it still doesn't work. I really don't understand.

Hi,

I would like to know which code you are running on the PIX.

Thanks

Kanishka

It is 6.3(5).

OK, I think I found the solution: in the logs it says traffic discarded because the host licence has been exceeded.

So I will upgrade my licence and see if it works better.

I can't believe it: my problem is solved, and I spent many hours troubleshooting. The solution was just upgrading the host licence. Unbelievable.

Can someone tell me how I can mark this post as solved?

Thanks for your help

Alex